@blamejs/exceptd-skills 0.15.13 → 0.15.14

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.14 — 2026-05-29
+
+Draft-curation pass 12 — legacy Microsoft client-side RCEs. Six CISA KEV-listed older Microsoft document / browser / font-parsing RCEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Office (CVE-2009-0238), PowerPoint (CVE-2009-0556), Excel (CVE-2007-0671), Internet Explorer (CVE-2010-3962 — a landmark IE zero-day from the Operation Aurora era), Windows TrueType font parsing (CVE-2011-3402 — the Duqu zero-day), and Windows InformationCardSigninHelper ActiveX (CVE-2013-3918). All map T1203 (Exploitation for Client Execution). The lessons frame these as long-tail KEV re-listings — the patch landed years ago, but CISA re-lists because unpatched legacy estates remain exposed; centralized patch management plus Office hardening (Protected View, ASR rules) are the load-bearing controls.
+
 ## 0.15.13 — 2026-05-29
 
 Draft-curation pass 11 — Citrix. Six CISA KEV-listed Citrix CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: four NetScaler ADC/Gateway appliance flaws (CVE-2026-3055 and CVE-2025-5777 — the CitrixBleed-class out-of-bounds reads that disclose authenticated session material; CVE-2025-7775 and CVE-2025-6543 memory-corruption buffer flaws) and two Session Recording flaws (CVE-2024-8069 deserialization RCE and CVE-2024-8068 privilege escalation). The CitrixBleed entries map T1552 alongside T1190 to surface session-token theft, and the lessons stress session termination + secret rotation (memory-disclosure class) and appliance rebuild (RCE class) as required steps beyond the patch.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T20:35:07.738Z",
+  "generated_at": "2026-05-29T20:50:15.179Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "8fe3f27879a535ce7242433d0a93dc71146f6a9f7fddc1fd9869c9f8270e1ea6",
+    "manifest.json": "07a6b22fe3f85de5ff139faa70278981d59d6eeec0c465fb0a8559724df50617",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "d139db4dc4cb4ec2be0ba517bbfa541215053aa6fa3aa1544dd061711d1acd8e",
-    "data/cve-catalog.json": "b24fe940b9752fd8ec37ec03954b0b99c8de523b1a5b6a7b79e2f55e3327baea",
+    "data/attack-techniques.json": "523e511ea16852804bb9c5a7b898b64d39180164e3a3eb09a88df10c84d46bf2",
+    "data/cve-catalog.json": "f2ea8df743747001bd8ba86b6353fc76dbd5cb1a8bf8b99d7f9ac8e0addccec3",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "a127b709dee1473f21804a85150aabfe1072e95443292d853b1fc6de554b4825",
+    "data/zeroday-lessons.json": "4a5cb953b7645f0d8cf5463f9aa7abea1dc56bca8293e5148458e7d047c0ea18",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -898,16 +898,10 @@
     "name": "Exploit Public-Facing Application",
     "version": "v19",
     "cve_refs": [
-      "CVE-2007-0671",
       "CVE-2008-0015",
-      "CVE-2009-0238",
-      "CVE-2009-0556",
       "CVE-2010-3765",
-      "CVE-2010-3962",
-      "CVE-2011-3402",
       "CVE-2012-1854",
       "CVE-2013-3893",
-      "CVE-2013-3918",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2016-7836",
@@ -1301,10 +1295,16 @@
     "name": "Exploitation for Client Execution",
     "version": "v19",
     "cve_refs": [
+      "CVE-2007-0671",
+      "CVE-2009-0238",
+      "CVE-2009-0556",
       "CVE-2009-1537",
       "CVE-2009-3459",
       "CVE-2010-0249",
       "CVE-2010-0806",
+      "CVE-2010-3962",
+      "CVE-2011-3402",
+      "CVE-2013-3918",
       "CVE-2014-3931",
       "CVE-2018-14634",
       "CVE-2020-9715",

package/data/cve-catalog.json

@@ -9152,7 +9152,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -9173,7 +9173,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-009",
@@ -9202,11 +9202,21 @@
         "published_date": "2026-04-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-14; due date 2026-04-28. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-009 ; https://nvd.nist.gov/vuln/detail/CVE-2009-0238",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with a code-injection / memory-corruption flaw (CWE-94) in Microsoft Office document parsing on an affected endpoint.",
+        "Inbound delivery of weaponized Office content (a document, web page, or embedded font) followed by unexpected child-process execution from the Office process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2009-0238, CISA KEV (added 2026-04-14), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-32201": {
     "name": "Microsoft SharePoint Server Improper Input Validation Vulnerability",
@@ -27177,7 +27187,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -27198,7 +27208,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-017",
@@ -27227,11 +27237,21 @@
         "published_date": "2026-01-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-07; due date 2026-01-28. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-017 ; https://nvd.nist.gov/vuln/detail/CVE-2009-0556",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office PowerPoint at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with a code-injection / memory-corruption flaw (CWE-94) in Microsoft Office PowerPoint document parsing on an affected endpoint.",
+        "Inbound delivery of weaponized PowerPoint content (a document, web page, or embedded font) followed by unexpected child-process execution from the PowerPoint process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2009-0556, CISA KEV (added 2026-01-07), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-37164": {
     "name": "Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability",
@@ -32068,7 +32088,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32089,7 +32109,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2458511?redirectedfrom=MSDN",
@@ -32118,11 +32138,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2458511?redirectedfrom=MSDN ; https://nvd.nist.gov/vuln/detail/CVE-2010-3962",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with an uninitialized-memory / use-after-free corruption flaw (CWE-94) in Internet Explorer on an affected endpoint.",
+        "Inbound delivery of weaponized Internet Explorer content (a document, web page, or embedded font) followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-3962, CISA KEV (added 2025-10-06), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-43226": {
     "name": "Microsoft Windows Privilege Escalation Vulnerability",
@@ -32259,7 +32289,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32280,7 +32310,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-090",
@@ -32309,11 +32339,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-090 ; https://nvd.nist.gov/vuln/detail/CVE-2013-3918",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with an out-of-bounds write / memory-corruption flaw (CWE-94) in a Microsoft Windows component reachable from Internet Explorer (the InformationCardSigninHelper ActiveX control) on an affected endpoint.",
+        "Inbound delivery of weaponized Windows InformationCardSigninHelper / ActiveX content (a document, web page, or embedded font) followed by unexpected child-process execution from the Windows InformationCardSigninHelper / ActiveX process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2013-3918, CISA KEV (added 2025-10-06), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2011-3402": {
     "name": "Microsoft Windows Remote Code Execution Vulnerability",
@@ -32355,7 +32395,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32376,7 +32416,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-087",
@@ -32405,11 +32445,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-087 ; https://nvd.nist.gov/vuln/detail/CVE-2011-3402",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with a memory-corruption flaw (CWE-94) in the Windows TrueType font parsing kernel component on an affected endpoint.",
+        "Inbound delivery of weaponized Windows TrueType font parser content (a document, web page, or embedded font) followed by unexpected child-process execution from the Windows TrueType font parser process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2011-3402, CISA KEV (added 2025-10-06), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-3765": {
     "name": "Mozilla Multiple Products Remote Code Execution Vulnerability",
@@ -35416,7 +35466,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35437,7 +35487,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-015",
@@ -35466,11 +35516,21 @@
         "published_date": "2025-08-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-12; due date 2025-09-02. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-015 ; https://nvd.nist.gov/vuln/detail/CVE-2007-0671",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website. An attacker could leverage this vulnerability by creating a specially crafted Excel file, which, when opened, allowing an attacker to execute remote code on the affected system."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website. An attacker could leverage this vulnerability by creating a specially crafted Excel file, which, when opened, allowing an attacker to execute remote code on the affected system.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office Excel at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with a code-injection / memory-corruption flaw (CWE-94) in Microsoft Office Excel document parsing on an affected endpoint.",
+        "Inbound delivery of weaponized Excel content (a document, web page, or embedded font) followed by unexpected child-process execution from the Excel process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2007-0671, CISA KEV (added 2025-08-12), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2013-3893": {
     "name": "Microsoft Internet Explorer Resource Management Errors Vulnerability",